Bug#1109118: debian-security-support: Mark libsoup2.4, libsoup3 with limited support for SoupServer?
Simon McVittie
smcv at debian.org
Fri Jul 11 18:11:17 BST 2025
Package: debian-security-support
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>, libsoup3 at packages.debian.org, libsoup2.4 at packages.debian.org
libsoup is a http client and server library mainly used by GNOME,
originally for SOAP and similar RPC protocols but later extended with
generic http functionality similar to e.g. libcurl. It provides both
client-side and server-side functionality, as well as utility code that
is shared by both sides.
Its upstream developers updated its documentation in 3.6.1 to clarify
that they do not recommend exposing SoupServer to untrusted http
clients:
<https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28>.
If this advice is followed, it would mitigate many of libsoup's
current CVEs.
Conversely, the client side of libsoup *is* intended to be safe to use
against untrusted servers, e.g. in epiphany-browser aka GNOME Web
(although it is also affected by some of the current CVEs, which I am in
the process of wading through).
Should it perhaps be marked with something like this?
libsoup2.4 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28
libsoup3 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28
(I'm sure you can think of better wording!)
smcv
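As an added, defender-side check that is not part of this bug report or of debian-security-support: a script that lists which installed packages ship binaries importing libsoup's SoupServer API (every public entry point is prefixed soup_server_), i.e. the software that would fall outside the proposed client-only support. It assumes a Debian system with dpkg and binutils (objdump); the libsoup runtime package-name patterns are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of debian-security-support.
# Finds installed binaries that import libsoup's SoupServer API, which is the
# code the proposed "client only" marking would leave without security support.
# Assumes Debian with dpkg and binutils (objdump); package-name patterns are assumed.

# Given `objdump -T` output on stdin, print the SoupServer symbols it imports.
# Every public SoupServer / SoupServerMessage entry point is prefixed soup_server_,
# and imported (undefined) symbols are flagged *UND* in the dynamic symbol table.
soup_server_refs() {
    grep '\*UND\*' | awk '{print $NF}' | sed 's/@.*//' | grep '^soup_server_' | sort -u
}

# Exit status 0 if the ELF file $1 imports any SoupServer symbol, 1 otherwise.
uses_soup_server() {
    objdump -T "$1" 2>/dev/null | soup_server_refs | grep -q .
}

# Installed packages whose Depends field names a libsoup runtime library
# (assumed names: libsoup2.4-1 for libsoup2.4, libsoup-3.0-0 for libsoup3).
libsoup_rdepends() {
    dpkg-query -W -f='${Package} ${Depends}\n' 2>/dev/null \
        | grep -E 'libsoup(-3\.0-0|2\.4-1)' | awk '{print $1}'
}

# Report "package: path" for every shipped file that uses SoupServer.
scan_installed() {
    for pkg in $(libsoup_rdepends); do
        dpkg -L "$pkg" | while read -r f; do
            if [ -f "$f" ] && uses_soup_server "$f"; then
                echo "$pkg: $f"
            fi
        done
    done
}

# Only scan the live system when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--scan" ]; then
    scan_installed
fi
```

Run it as `sh soup-server-audit.sh --scan`; a package that shows up here is one whose security support would be limited under the proposed marking, while a pure libsoup client (only soup_session_* imports) is not listed.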